
ESET Discovers Trojans Infecting Plants vs Zombies And Candy Crush On Google Play, Users In India Affected The Most

ESET researchers uncover cyber-attack on Android using popular arcade games such as Plants vs Zombies, Candy Crush or Super Hero Adventure.

Users in India are currently the most affected, with 73.58% of malware detections observed.

ESET, a global pioneer in proactive protection for more than two decades, has recently discovered a stealth attack on Android users. Cybercriminals used popular arcade games such as Plants vs Zombies, Candy Crush or Super Hero Adventure to deliver a backdoor Trojan directly onto victims’ devices. These malicious downloads were made available on the official Google Play Store. According to ESET telemetry, Android users in India are currently the most affected, with 73.58% of these detections observed.

ESET detects the games that install the Trojan as Android/TrojanDropper.Mapin and the Trojan itself as Android/Mapin. The packaged application is dropped silently onto the device, but it still has to ask the user to actually install it. The app requesting the installation is passed off as a ‘Manage Settings’ app. After installation, the application runs in the background as a service.

It is the backdoor Trojan that takes control of the device and makes it part of a botnet under the attacker’s control. The Trojan sets timers that delay the execution of the malicious payload, making it less obvious that the trojanised game is responsible for the suspicious behavior.

“Some variants of Android/Mapin take a minimum of three days to achieve full Trojan functionality. It may also be one of the reasons why the Trojan Downloader was able to evade Google’s Bouncer malware prevention system”, said Lukáš Štefanko, Malware Researcher at ESET.

The backdoor Trojan was able to sneak into Google Play and several alternative Android markets multiple times as one of the following popular games: Plants vs zombies, Plants vs Zombies 2, Subway suffers, Traffic Racer, Temple Run 2 Zombies, Super Hero Adventure, Candy Crush, Jewel Crush, Racing Rivals and others. The Trojan pretends to be a Google Play Update or an application named Manage Settings.

“Not all of its functionality has been fully implemented. There is a possibility that this threat is still under development and the Trojan may be improved in the future”, concludes Štefanko.

ESET’s report reveals that the Trojan was available for download from the official Google Play Store by the end of 2013 and 2014 as Hill climb racing the game, Plants vs zombies 2, Subway suffers, Traffic Racer, Temple Run 2 Zombies and Super Hero Adventure, published by the developers TopGame24h, TopGameHit and SHSH. The malware was uploaded to Google Play on November 24-30, 2013 and November 22, 2014. The Trojans were eventually pulled from the Google Play store, but had gone undetected for nearly a year and a half. ESET researchers presume that it was because of this and similar cases that Google announced that, as of March 2015, all apps and updates must pass human review.

“Smartphones are prone to malware just as any other intelligent device, and India particularly is the second largest and fastest growing market for smartphones, with Android being the leader among other platforms. All this attracts the attention of cyber criminals, who also take advantage of many users in India being unaware of cyber threats and ways to protect themselves from such threats,” said Zakir Hussain, Head of ESS Distribution, official distributor of ESET products in India.

“To prevent devices from being infected with malware, users should keep their devices’ operating systems up to date, install reliable anti-malware protection and be careful when downloading and installing applications, games, and even watching videos. Whenever any application shows suspicious behavior, asks for extra permissions or pushes installations, users should be alert. Such applications can have malicious intentions.”